Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Dartmouth College Merchant Credit Card Policy for Managers and Supervisors"

Transcription

1 Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the Payment Card Industry Data Security Standard (PCI DSS). The purpose of the Merchant Credit Card Policy is to protect our customers credit card data, to uphold the College s reputation, to reduce the financial costs associated with a breach of credit card information and to outline best practices for all aspect of credit card transactions. Background PCI DSS was established by the credit card industry in response to an increase in identity theft and credit card fraud. Every merchant who handles credit card data is responsible for safeguarding that information and can be held liable for security compromises. This standard has 12 requirements, including controls for handling credit card data, computer and internet security and an annual self assessment questionnaire. The College launched the Card Privacy and Control (CPAC) Project In The project objective was to review all credit card merchant accounts, identify all the systems, applications and devices that process, store or transmit cardholder data. CPAC has identified and assisted in the implementation of any business or technological changes required to comply with PCI DSS. Entities Affected By This Policy Any College department that accepts credit card payments and retains sensitive cardholder data in paper or electronic format must comply with the Policy. Who Should Read This Policy Any departmental staff that conducts college business through credit card transactions. There are two versions of the Merchant Credit Card Policy. Merchant Credit Card Policy for Processors (how to handle credit card information) Any persons including part-time students with the responsibilities of processing, storing or transmitting credit card data. Merchant Credit Card Policy for Supervisors and Managers (detailed version) Any supervisors or managers with the responsibilities of processing, storing or transmitting credit card data. This includes Executive or Fiscal Officers who oversees the department. January 2015 Page 1 of 13

2 What is PCI Data Security Standard The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. The PCI standard is comprised of 12 requirements. They are summarized below but more detail can be found at: Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security January 2015 Page 2 of 13

3 Compliance Certification Process I Purchasing a system or application Departments that require a system or application to process credit card data must contact Procurement (Strategic Sourcing) and Computing Services (IT Security Engineer) before initiating the purchase. Procurement and Computing Services must approve any contract with a third party vendor which must be PCI compliant. II Opening a Merchant Account The departments interested in accepting payments for goods and services via a credit card must obtain a Merchant Account Request Form from Institutional Accounting and send it back for approval at least three weeks prior to accepting credit card transactions. Upon approval, Institutional Accounting will establish a new merchant account. Merchants with Phone, Mail, Fax or Counter Sales Credit Card Processing Departments using terminal (VeriFone) via phone line must meet following business requirements: 1. Cardholder and merchant receipts must print only last four digits of the credit card number. Expiration dates must be excluded 2. Any terminal that does not meet the above requirement must be reprogrammed or a new terminal must be purchased or leased by Department 3. Merchant Account Request Form has been submitted and approved by Institutional Accounting Office 4. Complete initial Self-Assessment Questionnaire (SAQ) according to instructions from the Institutional Accounting Office 5. Reconciliation between the Software or Payment Application and General Ledger is completed at least once a month 6. Background checks per HR policy may be required per PCI Requirement 12 Paper documents containing credit card data should be secured in a locked office and stored in a cabinet. In an open office environment paper documents should be stored in locked cabinets. Paper documents should not be left in an unsecured office after work hours. Please refer to Retention section for instructions. Merchants with Internet Related Software, Point-of-Sale or Wireless Processing January 2015 Page 3 of 13

4 Departments are not permitted to process, store or transmit credit card data on College s computer systems or Internet without approval from Institutional Accounting, Computing Services and Dartmouth PCI Review Board. Any third party vendors must be PCI approved and compliant. Merchants who use payment application systems (for example, point-of-sale) are connected to the Internet (via high speed connection, DSL, cable modem, etc), software applications installed on College computers or wireless device must meet the following requirements: 1. Passes architecture review by Computing Services (IT Security Engineer) 2. Software, application or wireless device is on the Payment Application Data Security Standard (PA-DSS) list effective October You can check at gory=standards 3. Complete initial Self-Assessment Questionnaire (SAQ) according to instructions from the Institutional Accounting Office 4. Contact Computing Services (IT Security Engineer) to set up a quarterly vulnerability scan 5. No access to 16 digit credit card numbers 6. Merchant Account Request Form has been submitted and approved by Institutional Accounting 7. Reconciliation between the software or Payment Application and General Ledger is completed at least once a month 8. Background checks per HR policy may be required per PCI Requirement 12 III Closing a Merchant Account When a merchant account is no longer used, contact and provide the merchant account number(s) that should be closed. Please contact Materials Management regarding the disposal of all college property and they will direct the disposal of the equipment. IV Confidentiality Form All individuals involved in processing, storing or transmitting credit card data must sign a PCI Confidentiality Statement. See Exhibit 1 V Self-Assessment Questionnaire (SAQ) The SAQ is a validation tool that must be completed by merchant account holders before an account will be set up and annually thereafter be able to demonstrate compliance with the PCI DSS. If there is a significant change to business process or system application then a new SAQ must be submitted. January 2015 Page 4 of 13

5 VI Changes to Merchant Accounts Changes to an existing merchant account must be approved by Institutional Accounting and/or Computing Services. Examples of changes are: purchasing or discarding a terminal, purchasing software, selecting a new service provider, etc. A new SAQ must be completed whenever there is a major change to system, application or process involving credit card information. VII Checklist for Merchant Account Owners See Exhibit 2 Reconciliation The department, owning the merchant account, will receive a weekly/monthly statement of activity from the credit card processor. This statement must be reconciled to the settlement reports from your machine/software/web site as well as to your account in the College s General Ledger using the applicable and appropriate reports. Compliance Issues Faculty, staff, or students may report PCI compliance problems through standard management channels, beginning with the immediate supervisor. Alternatively, inquiries or reports may be addressed to the Ethics Point: Local Policies Retention PCI DSS recommends keeping to a minimum the credit card information that is retained. Local policy should make it a practice not to retain sensitive cardholder data. Limit your storage amount and retention time to that which is required for legal or regulatory purposes. Electronic - The College policy is no credit card data will be stored on laptops and/or PC s. Computing Services must approve any systems or applications that process, store or transmit credit card data. Paper Files with credit card information should be stored in a secure area on site for 18 months to 2 years and then placed in Records Management for the remainder of the retention period. The College recommends only keeping the information for 3 years. The files should be securely disposed of directly from Records Management. Any paper containing credit card data must be shredded before disposal. January 2015 Page 5 of 13

6 Changes Before making any changes to your technical architecture or business practices regarding credit cards you should insure that you remain in compliance with PCI data security requirements. You should contact Computing Services (IT Security Engineer) to conduct a Quality Scan Assessment prior to placing any systems or application changes into production. Chargeback The bank will notify a merchant of a disputed charge. The merchant is responsible to provide the bank with written proof that the transaction was authorized by the customer. If you are experiencing frequent chargeback complaints or suspect fraud contact the Office of Risk and Internal Controls Services at Refunds When an item or service is purchased using a credit card, and a refund is necessary, the refund must be credited to the same credit card account from which the purchase was made. In addition, under no circumstances is it permissible to issue cash refund. January 2015 Page 6 of 13

7 Glossary More definitions can be found at PCI DSS site Application Includes all purchased and custom software programs or groups of programs designed for end users, including both internal and external (web) applications Backup Cardholder Cardholder data Chargeback Data Entry Processor Encryption Merchant Merchant Account SAQ Sensitive Data Duplicate copy of data made for archiving purposes or for protecting against damage or loss Customer to whom a credit is issued or individual authorized to use the card Full magnetic stripe or the PAN plus any of the following: * Cardholder name * Expiration date * Service Code Process when the cardholder contacts the credit card company or the issuing bank regarding an inconsistency in their credit card statement. The issuing bank will credit back to the cardholder for the disputed transaction then charge a fee to the merchant An individual who is responsible for credit card data entry for day-to-day operations Process of converting information into an unintelligible form except to holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure A unit that accepts credit cards as a method of payment for goods, services, information, or gifts An account established for a unit by a bank to credit sale amounts and debit processing fees Self-Assessment Questionnaire is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures, which may be required by your acquirer (bank) or payment brand Sensitive Data include, the account number, magnetic stripe data, CVV2/CVC2 and expiration date January 2015 Page 7 of 13

8 Service Code Three- or four-digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction Responsibilities: 1) General Responsibilities for Processors: You should NOT do the following: 1. Do not transmit cardholder s credit card data by or fax 2. Do not store credit card data for repeat customers on paper in an unsecured area 3. Do not store PIN or CVV2/CVC2/CID number 4. Do not electronically store on the College s computer file or server any unencrypted credit card data 5. Do not electronically store any credit card data on laptop or PCs 6. Do not share user IDs for systems access 7. Never acquire or disclose any cardholder s data without the cardholder s consent You should DO the following: 1. Store all physical documents containing credit card data in a locked drawer, locked file cabinet, or locked office 2. Maintain strict control over the internal and external distribution that contains credit card data 3. Change vendor supplied or default passwords 4. Ensure that all passwords conform with Computing Services rules and recommendations: 5. Properly dispose of any media containing credit card data 6. If you receive an unencrypted from customer with credit card data notify the customer that they should no longer send this information via and delete immediately. 2) General Responsibilities for Executive Officers, Fiscal Officers, Management Officers and Systems Managers: 1. Comply with Payment Card Industry Data Security Standard (PCI DSS) 2. Obtain approval by Institutional Accounting, Procurement Services and Computing Services prior to entering into any contract, purchase, acquisitions, or replacement equipment, software, Internet provider, or wireless device 3. Submit for approval any new merchant accounts to Institutional Accounting 4. Establish procedures to restrict physical access to data or systems that house cardholder data January 2015 Page 8 of 13

9 5. Communicate the Dartmouth College Merchant Credit Card Policy to all employees 6. Restrict access to credit card data by business need-to-know basis 7. Establish appropriate segregation of duties between personnel handling credit card processing, refunds and reconciliations 8. Perform background checks on employees who have access to systems, networks and multiple credit card information. This does not include personnel who have access to one card number at a time 9. Assign a unique ID to each person with computer access to credit card data 10. Do not allow credit card data to be sent by or fax 11. Do not allow the storage of PIN or CVV2/CVC2/CID numbers 12. Do not allow electronic storage of any credit card data on the College s computer files or servers except for systems and applications that have been approved by Computing Services 13. Do not allow electronic storage of any credit card data on laptop or PCs 14. Do not allow outside consultants to store credit card data on their own PC equipment 15. Do not allow employees to share user IDs for systems access 16. Do not allow the use of imprint machines to process credit card payments except in an emergency situation (e.g. power outage) 17. Never allow the disclosure of cardholder s data without the cardholder s consent January 2015 Page 9 of 13

10 Exhibit 1 Dartmouth College Payment Card Industry Data Security Confidentiality / Non-Disclosure Statement - Managers and Supervisors As a member of the staff of Dartmouth College, I acknowledge that in the course of my employment I may have access to personal, proprietary, transaction-specific, and /or otherwise confidential data concerning faculty, staff, students, alumni and/or other persons through the processing of credit card transactions. As an individual with responsibilities for processing, storing and/or transmitting credit card data, I may have direct access to sensitive and confidential information in paper or electronic format. To protect the integrity and the security of the systems and processes as well as the personal and proprietary data of those to whom the College provides service, and to preserve and maximize the effectiveness of College s resources, I agree to the following: I will maintain the confidentiality of my password and will not disclose it to anyone. I will utilize credit card data for College business purposes only. I will uphold Dartmouth College s Code of Ethical Business Conduct, available at Ethics Point: and I agree to abide by it. I have been provided a written copy of the College s Merchant Credit Card Policy regarding the proper storing, protection, and disposal of such confidential data and I will ensure that any such data is shredded or otherwise disposed of as per approved office policy when no longer needed. I have read, understand, and agree to abide by Dartmouth College Merchant Credit Card Policy. The use of sensitive credit card data for personal purposes is illegal and is grounds for termination. The abuse of systems access or unauthorized disclosure or distribution of any customer s credit card data may result in prosecution. Name (Print) Signature/Date January 2015 Page 10 of 13

11 Department Phone # January 2015 Page 11 of 13

12 Exhibit 2 Payment Card Industry Data Security Standard (PCI DSS) Checklist for Merchant Account Owner Department Merchant Account Owner Item Description Contacts Completion Date Comments 1 Get an approval from Procurement and Computing Services before purchase or lease a system or application to process credit card transactions. 2 Complete PCI Online Training via Canvas Procurement - Strategic Sourcing Computing Services IT Security Engineer Institutional Accounting 3 Complete a Self-Assessment Questionnaire (SAQ) 4 Open a Merchant Account Institutional Accounting The SAQ must be completed before a Merchant Account will be set up. It takes 3 weeks to process a merchant account request. 5 Background Checks for new and transfer employees per HR policy 6 Have all staff and students who process, store and transmit credit card data sign the Confidentiality Statement 7 Changes to the existing Merchant Account must be communicated to the Institutional Accounting Institutional Accounting Computing SERV Changes to a system such as an upgrade, new terminal or selecting a new service provider. January 2015 Page 12 of 13

13 8 Close a Merchant Account Institutional Accounting Material s MGT For purchased terminal disposal please contact Material MGT Computing SERV January 2015 Page 13 of 13

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft

More information

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

Appendix 1 Payment Card Industry Data Security Standards Program

Appendix 1 Payment Card Industry Data Security Standards Program Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect

More information

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL PAYMENT CARD INDUSTRY COMPLIANCE (PCI) Effective June 1, 2011 Page 1 of 6 (1) Definitions a. Payment Card Industry Data Security Standards (PCI-DSS): A set of standards established by the Payment Card

More information

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents

UNL PAYMENT CARD POLICY AND PROCEDURES. Table of Contents UNL PAYMENT CARD POLICY AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services Louisiana State University Finance and Administrative Services Operating Procedure FASOP: AS-22 CREDIT CARD MERCHANT POLICY Scope: All campuses served by Louisiana State University (LSU) Office of Accounting

More information

Standards for Business Processes, Paper and Electronic Processing

Standards for Business Processes, Paper and Electronic Processing Payment Card Acceptance Information and Procedure Guide (for publication on the Treasury Webpages) A companion guide to University policy 6120, Payment Card Acceptance Standards for Business Processes,

More information

TERMINAL CONTROL MEASURES

TERMINAL CONTROL MEASURES UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to cashandmerchant@ucr.edu when requesting a stand-alone dial up terminal. The University

More information

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business

INFORMATION SECURITY POLICY. Policy for Credit Card Acceptance to Conduct College Business DELAWARE COLLEGE OF ART AND DESIGN 600 N MARKET ST WILMINGTON DELAWARE 19801 302.622.8000 INFORMATION SECURITY POLICY including Policy for Credit Card Acceptance to Conduct College Business stuff\policies\security_information_policy_with_credit_card_acceptance.doc

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

POLICY SECTION 509: Electronic Financial Transaction Procedures

POLICY SECTION 509: Electronic Financial Transaction Procedures Page 1 POLICY SECTION 509: Electronic Financial Transaction Procedures Source: NDSU President NDSU VP for Finance and Administration NDSU VP for Information Technology A. Purpose / Rationale Many NDSU

More information

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College

More information

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: Boston College Policy ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS: PURPOSE OF POLICY: The purpose of this policy is to establish procedures for accepting payment cards at Boston College

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101. DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants POLICY & PROCEDURE DOCUMENT NUMBER: 3.3101 DIVISION: Finance & Administration TITLE: Policy & Procedures for Credit Card Merchants DATE: October 24, 2011 Authorized by: K. Ann Mead, VP for Finance & Administration

More information

Policies and Procedures

Policies and Procedures Policies and Procedures Provided by PROGuard The following are policies and procedures which need to be enforced to ensure PCI DSS compliance. In order to answer yes to the questions and pass the SAQ,

More information

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit

More information

University Policy Accepting and Handling Payment Cards to Conduct University Business

University Policy Accepting and Handling Payment Cards to Conduct University Business BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy

More information

Saint Louis University Merchant Card Processing Policy & Procedures

Saint Louis University Merchant Card Processing Policy & Procedures Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.

More information

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Credit Card Handling and Acceptance Policy Policy Number: C3875 Effective Date: November 8, 2006 Issuing Authority: Office of VP Business and

More information

Vanderbilt University

Vanderbilt University Vanderbilt University Payment Card Processing and PCI Compliance Policy and Procedures Manual PCI Compliance Office Information Technology Treasury VUMC Finance Table of Contents Policy... 2 I. Purpose...

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i.

A8.700 TREASURY. This directive applies to all campuses of the University of Hawai i. Prepared by Treasury Office. This amends A8.710 dated July 2001. A8.710 April 2005 A8.700 TREASURY P 1 of 5 A8.710 Credit Card Program 1. Purpose To provide uniform procedures for the processing of credit

More information

PCI COMPLIANCE GUIDE For Merchants and Service Members

PCI COMPLIANCE GUIDE For Merchants and Service Members PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...

More information

CREDIT CARD POLICY DRAFT

CREDIT CARD POLICY DRAFT APPROVED BY Ronald J. Paprocki I. Policy Statement Any office of the University that processes credit card transactions may do so only in the manner approved by the University Treasury Office and in compliance

More information

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011 CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...

More information

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October

CREDIT CARD NUMBER HANDLING PROCEDURES POLICY. 2014 October CREDIT CARD NUMBER HANDLING PROCEDURES POLICY 2014 October Royal Roads University Page 1 of 6 21 October 2014 Table of Contents Policy Statement... 3 Rationale... 3 Applicability of the Policy... 3 Definitions...

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Policies and Procedures. Merchant Card Services Office of Treasury Operations

Policies and Procedures. Merchant Card Services Office of Treasury Operations Policies and Procedures Merchant Card Services Office of Treasury Operations 1 Welcome! Table of Contents: Introduction Establishing Payment Card Services Payment Card Acceptance Procedures Payment Card

More information

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI)

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI) CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave

More information

Office of Finance and Treasury

Office of Finance and Treasury Office of Finance and Treasury How to Accept & Process Credit and Debit Card Transactions Procedure Related Policy Title Credit Card Processing Policy For University Merchant Locations Responsible Executive

More information

UW Platteville Credit Card Handling Policy

UW Platteville Credit Card Handling Policy UW Platteville Credit Card Handling Policy Issued: December 2011 Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015 Overview: In order for UW Platteville to accept credit

More information

University of Virginia Credit Card Requirements

University of Virginia Credit Card Requirements University of Virginia Credit Card Requirements The University of Virginia recognizes that e-commerce is critical for the efficient operation of the University, and in particular for collecting revenue.

More information

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Viterbo University Credit Card Processing & Data Security Procedures and Policy The requirements for PCI-DSS compliance are quite numerous and at times extremely complicated due to their interdependent nature and scope. The University has deemed it necessary for those areas currently

More information

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING

COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING COLLEGE POLICY ON CREDIT/DEBIT CARD PAYMENT PROCESSING Supersedes: None Date: March 17, 2014 I. PURPOSE To establish business processes and procedures for the processing of credit/debit card payments as

More information

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures Background Colleges and universities have traditionally had open networks of information that foster the exchange

More information

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration

Andrews University Payment Card Acceptance Policies & Procedures. Prepared by Financial Administration Andrews University Payment Card Acceptance Policies & Procedures Prepared by Financial Administration July 12, 2011 Part I: Introduction of Policy and Purpose Formatted: Font: 12 pt In order to protect

More information

CARD PAYMENT POLICY May 2016

CARD PAYMENT POLICY May 2016 CARD PAYMENT POLICY May 2016 1. Introduction All businesses that handle card payment data are required to comply with industry rules aimed at increasing data security. These are set out in the Payment

More information

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper

More information

PCI Policies 2011. Appalachian State University

PCI Policies 2011. Appalachian State University PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

PCI DSS SECURITY AWARENESS

PCI DSS SECURITY AWARENESS PCI DSS SECURITY AWARENESS Annual Education Module James Madison University University Business Office Compliance Specialist TRAINING AUDIENCE The following training module should be completed by all University

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

New York University University Policies

New York University University Policies New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance

More information

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry

More information

University Policy Accepting Credit Cards to Conduct University Business

University Policy Accepting Credit Cards to Conduct University Business BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Ball State University Credit/Debit Card Handling Policy and Procedures

Ball State University Credit/Debit Card Handling Policy and Procedures Ball State University Credit/Debit Card Handling Policy and Procedures I. Background Ball State University accepts payments in various forms including cash, checks and electronic fund transfers. University

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Payment Card Acceptance Administrative Policy

Payment Card Acceptance Administrative Policy Administrative Procedure Approved By: Brandon Gilliland, Associate Vice President for Finance & Controller Effective Date: October 1, 2014 History: Approval Date: September 25, 2014 Revisions: Type: Administrative

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standards. Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing

More information

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9. 95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Policy for Accepting Payment (Credit) Card and Ecommerce Payments

Policy for Accepting Payment (Credit) Card and Ecommerce Payments Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 Revision Control Document Title: File Reference: Credit Card Handling Policy and Procedure PCI Policy020212.docx Date By Action Pages

More information

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference

DATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference 2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the

More information

Liverpool Hope University. PCI DSS Policy

Liverpool Hope University. PCI DSS Policy Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council

More information

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER

More information

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS

POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Publication Date 2009-08-11 Issued by: Financial Services Chief Information Officer Revision V 1.0 POLICY NAME : MERCHANT (PCI) POLICY AND PROCEDURES ACCEPTING CREDIT/DEBIT CARD PAYMENTS Overview: There

More information

b. USNH requires that all campus organizations and departments collecting credit card receipts:

b. USNH requires that all campus organizations and departments collecting credit card receipts: USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Emory University & Emory Healthcare

Emory University & Emory Healthcare Emory University & Emory Healthcare Payment Card Processing and Compliance Policy and Procedures Manual Office of Cash and Debt Management Mailstop 1599-001-1AE 1599 Clifton Road, 3 rd Floor Atlanta, GA

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm

http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm Section: Accounting Revised Date: 05/31/2011 Procedure: 2.2.23 Credit Card Acceptance Home Page http://www4.uwm.edu/bfs/depts/acct/creditcardacceptance/credit-card-acceptance.cfm Operating Principles:

More information

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS

ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS UNIVERSITY OF NORTH DAKOTA FINANCE & OPERATIONS POLICY LIBRARY ACCEPTING CREDIT CARDS AND ELECTRONIC CHECKS TO CONDUCT UNIVERSITY BUSINESS Policy 2.3, Accepting Credit Cards and Electronic Checks to Conduct

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected. The 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS) by type Build

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

Sales Rep Frequently Asked Questions

Sales Rep Frequently Asked Questions V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing

More information

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS

WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS WASHINGTON STATE UNIVERSITY MERCHANT ACCOUNT AGREEMENT FOR UNIVERSITY DEPARTMENTS I. Introduction, Background and Purpose This Merchant Account Agreement (the Merchant Agreement or Agreement ) is entered

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

PCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS: Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal

More information

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1) PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

Credit and Debit Card Handling Policy Updated October 1, 2014

Credit and Debit Card Handling Policy Updated October 1, 2014 Credit and Debit Card Handling Policy Updated October 1, 2014 City of Parkville 8880 Clark Ave. Parkville, MO 64152 Hours: 8:00-5:00 p.m. Monday -Friday Phone Number 816-741-7676 Email: cityhall@parkvillemo.gov

More information

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures

What To Do if Compromised. Visa USA Fraud Investigations and Incident Management Procedures What To Do if Compromised Visa USA Fraud Investigations and Incident Management Procedures Table of Contents Introduction......................................................... 1 Identifying and Detecting

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

La règlementation VisaCard, MasterCard PCI-DSS

La règlementation VisaCard, MasterCard PCI-DSS La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security

More information

P R O G R E S S I V E S O L U T I O N S

P R O G R E S S I V E S O L U T I O N S PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version

More information